Data protection – what do you need to know?
Cyber security is of increasing concern to both businesses and their customers. There doesn’t seem to be a month that goes by without one company or organisation falling foul of the law or falling victim to a cyber attack, with personal data leaked to the media or worse.
Data protection compliance is all too often seen as just a box-ticking exercise. But the risks to businesses in terms of reputational damage and tough financial penalties are very real.
So what do businesses really need to know?
The most common data held by an organisation is personal information – for example, names, email addresses, telephone numbers, dates of birth etc. Personal data may also extend to medical records, bank account details and notes written about an individual, for example following an employee’s annual review.
An organisation can only collect personal data if it has a legitimate reason for doing so, and should only collect the information it requires at that time. When collecting personal data, you must tell that individual what you intend to do with it. For example, if a business collects a customer’s email address to confirm an order, it must say so.
If a business wishes to use someone’s personal data for marketing purposes, that individual must be told. It is good practice to do this when collecting that data. In some instances, for example email or text message marketing, a business is generally required to obtain the individual’s explicit consent.
Businesses that hold personal data must appoint a data controller and register that individual with the Information Commissioner’s Office.
There is little point in an organisation collecting data if it has no intention of using it. It is here, however, that businesses all too often and inadvertently break the rules.
The main point to remember is that data should only be used for the reason it was collected. For example, calls between staff and customers recorded for ‘training purposes’ should not then be used to discipline a member of staff.
If a business wants a third party to manage data, such as an external payroll bureau or a marketing agency, it is important to remember that you will remain responsible for that data. It is advisable to have a formal contract that covers the use of that data with any third
Caution is also needed with regard to transferring data outside of the EU. This does not only mean the wholesale movement of databases from one country to another, but also the simple act of emailing contacts on a database who might be in another country. Different data protection regulations apply in different countries, and you would not wish to inadvertently break any rules.
Most businesses will use data collected to drive marketing and sales activity. Businesses must check that the recipient is aware that their data may be used in this way and that they do not object. The rule of thumb is that a business will need an individual’s express consent, an opt-in, for email and text message marketing.
This is not generally required for existing customers, where an opt-out option is available.
Cyber attacks are on the rise, and are considered by many experts to be the main threat facing businesses and organisations around the world. Attacks can come from anywhere and at any time, from lone individuals, disaffected campaign groups or deliberate acts of cyber terrorism.
Businesses must identify and understand the risks faced, and the assets that may be targeted. These might include:
- Customer databases;
- Financial information;
- IT services, such as the ability to make online payments;
- Intellectual property; and
- Sensitive personal information.
The impact of a cyber attack on a business can be severe, including financial loss, reputational damage and regulatory sanctions.
Businesses are required under the Data Protection Act to ensure that data is kept secure. The legislation does not explain how businesses should comply with that requirement, but the regulator will expect to see robust IT security, evidence of educating employees about the risks and some degree of business continuity planning.
Individuals who believe their data is being misused, either inadvertently or via a cyber attack, can complain to the Information Commissioner’s Office, which can, depending on the seriousness of the breach, issue fines of up to £500,000.
Widespread reform of data protection legislation is being proposed by the EU that could see fines increase up to €100 million. Now is the time for businesses to put their houses in order.
Cyber risk checklist
- Do you have a documented internet, IT and data protection strategy?
- Do you have an up-to-date social media policy for employees?
- Do you have policies that cover employees handling sensitive customer or client information?
- What is your IT security strategy and is it up to date?
- Is there adequate training for front-line staff so they recognise the latest threats?
- Have you appointed a data controller and registered with the Information Commissioner’s Office?